CN106790299B - Wireless attack defense method and device applied to wireless Access Point (AP) - Google Patents


Info

Publication number: CN106790299B
Application number: CN201710165669.XA
Authority: CN (China)
Prior art keywords: message, attribute information, messages, wireless, attack
Legal status: Expired - Fee Related (status as listed by Google Patents, which has not performed a legal analysis; not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN106790299A
Inventor: 乔季军
Current assignee: Comba Network Systems Co Ltd (assignee list as given by Google Patents, not verified)
Original assignee: Comba Telecom Systems China Ltd
Events: application filed by Comba Telecom Systems China Ltd; priority to CN201710165669.XA; publication of CN106790299A; application granted; publication of CN106790299B; legal status Expired - Fee Related; anticipated expiration

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/14  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441  Countermeasures against malicious traffic
    • H04L 63/1466  Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiments relate to the field of communication, and in particular to a wireless attack defense method and device applied to a wireless Access Point (AP), intended to defend against wireless attacks promptly and effectively. The AP receives a plurality of messages within a preset duration; parses each message to determine its attribute information, which comprises the message type and the source address of the message; for each distinct attribute information among the received messages, determines the messages carrying that attribute information to be attack messages when their number is greater than the message-type count threshold configured for that attribute information; and deletes the messages determined to be attack messages in the driver module of the wireless AP. Wireless attacks are thereby defended against promptly and effectively.

Description

Wireless attack defense method and device applied to wireless Access Point (AP)
Technical Field
The embodiment of the invention relates to the field of communication, in particular to a wireless attack defense method and a wireless attack defense device applied to a wireless Access Point (AP).
Background
With the development of wireless networks, daily life depends more and more on them. Malicious attacks on wireless networks are common in current deployments, and a wireless attack defense mechanism has become a key element in securing a wireless network.
The existing wireless attack defense mechanism mainly combines a wireless Access Point (AP) with a wireless centralized controller (AC): the AC centrally manages the wireless APs, and each wireless AP serves a number of network devices. After the kernel module of the AP identifies an attack message, the AP determines the attacker's Media Access Control (MAC) address and uploads it to the AC, and the AC blocks the attacker according to the corresponding policy.
This prior-art method has high latency: by the time the attack has been detected and the AC has acted on it, the wireless AP's network is already paralysed or the AP has hung, so the defense is neither timely nor efficient. A wireless attack defense method that acts promptly and effectively is therefore needed.
Disclosure of Invention
The embodiments provide a wireless attack defense method and a wireless attack defense device applied to a wireless AP, intended to defend against wireless attacks promptly and effectively.
The wireless attack defense method applied to a wireless AP comprises the following steps: receiving a plurality of messages within a preset duration; parsing each message and determining its attribute information, which comprises the message type and the source address of the message; and, for each distinct attribute information among the received messages, determining the messages carrying that attribute information to be attack messages when their number is greater than the message-type count threshold corresponding to that attribute information.
The wireless attack defense device applied to a wireless AP comprises: a message receiving module, which receives a plurality of messages within a preset duration; a message parsing module, which parses each message and determines its attribute information, comprising the message type and the source address; a message counting module, which counts, for each distinct attribute information among the received messages, the number of messages carrying it; and a message filtering module, which determines the messages carrying an attribute information to be attack messages when their number is greater than the message-type count threshold corresponding to that attribute information. The messages determined to be attack messages are deleted by the driver module of the wireless AP.
In these embodiments the device receives a plurality of messages within a preset duration, parses them into attribute information (message type and source address), and, for each attribute information, determines the corresponding messages to be attack messages when their number exceeds the corresponding threshold, so attack messages are identified effectively. Deleting them in the driver module of the wireless AP has two effects: the attack messages are removed before they enter the kernel module of the wireless AP, and, because the decision is taken and enforced in the driver, the information about the attack messages does not need to be uploaded to the wireless centralized controller first, so the defense is applied in time.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings that are required to be used in the description of the embodiments will be briefly described below.
Fig. 1 is a schematic diagram of a wireless attack defense system applied to a wireless AP according to an embodiment;
Fig. 2 is a schematic flowchart of a wireless attack defense method applied to a wireless AP according to an embodiment;
Fig. 3 is a schematic flowchart of another wireless attack defense method applied to a wireless AP according to an embodiment;
Fig. 4 is a schematic structural diagram of a wireless attack defense device applied to a wireless AP according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more clearly apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Fig. 1 shows the architecture of a wireless attack defense system applied to a wireless AP. The system 100 comprises a wireless AP 110 and a plurality of network devices that access it: network device 120, network device 130 and network device 140, all connected to wireless AP 110. Wireless AP 110 comprises a driver module 111, a kernel module 112, an application module 113 and a wireless attack defense device 114; the wireless attack defense device 114 is located in the driver module 111.
Any two network devices communicate through the AP: the sending device first sends a message to wireless AP 110, and wireless AP 110 sends the received message on to the receiving device. For example, when network device 120 sends a message to network device 130, network device 120 sends it to wireless AP 110, which forwards it to network device 130. Within a preset duration, wireless AP 110 receives a plurality of messages from network devices 120, 130 and 140 and performs wireless attack detection and defense in the wireless attack defense device 114. The message types discussed in the examples below are 802.11 management frames: authentication, association, beacon, deauthentication and disassociation messages.
The wireless attack defense device 114 comprises a message receiving module, a message parsing module, a message counting module and a message filtering module. The message receiving module receives a plurality of messages within a preset duration; the message parsing module parses each message to obtain its attribute information; the message counting module counts, for each distinct attribute information among the received messages, the number of messages carrying it; and the message filtering module determines which of the received messages are attack messages and deletes them. In a further embodiment the device 114 additionally comprises a timer detection module, which sends instruction information to the message filtering module so that the filtering module can determine the attack messages.
Fig. 2 is a flowchart of a wireless attack defense method applied to a wireless AP according to an embodiment.
Based on the architecture of Fig. 1, the method comprises the following steps, as shown in Fig. 2:
Step S201: the wireless attack defense device receives a plurality of messages within a preset duration.
Step S202: the device parses each message and determines its attribute information, which comprises the message type and the source address of the message.
Step S203: for each distinct attribute information among the received messages, when the number of messages carrying that attribute information is greater than the message-type count threshold corresponding to that attribute information, the device determines those messages to be attack messages.
Step S204: the messages determined to be attack messages are deleted by the driver module of the wireless AP.
In step S201 the preset duration is chosen according to the application and is not limited here. For example, with a preset duration of 2 seconds, the device collects the messages received within 2 seconds and then executes steps S202, S203 and S204; in the next 2 seconds, steps S201 to S204 are executed again. The messages received by the device may come from several network devices or from a single one.
In step S202 the attribute information of the received messages may be the same or different. The attribute information is the same when both the message type and the source address are the same; it is different in three cases: the message types are the same and the source addresses differ; the message types differ and the source addresses are the same; or both the message types and the source addresses differ.
For example, the device receives four messages. The attribute information may be the same for all four, for instance all four are association messages with source address MAC1. Or it may differ: three of the four are association messages with source address MAC1 and the fourth is an authentication message with source address MAC1; or two are authentication messages with source address MAC1 and the other two are authentication messages with source address MAC2.
In step S203 the message-type count thresholds are chosen according to the application and are not limited here; the thresholds for different message types may be the same or different. For example, let the message types be authentication messages and association messages, with the authentication threshold set to 32 and the association threshold set to 35. Two network devices access the wireless AP: the first with address MAC1 and the second with address MAC2. Within the preset duration the first device sends 66 messages to the AP, namely 30 authentication and 36 association messages, and the second device sends 70 messages, namely 40 authentication and 30 association messages. Among the 66 messages from MAC1, the 36 association messages exceed the association threshold of 35, so the association messages from MAC1 are determined to be attack messages; among the 70 messages from MAC2, the 40 authentication messages exceed the authentication threshold of 32, so the authentication messages from MAC2 are determined to be attack messages. The 30 authentication messages from MAC1 and the 30 association messages from MAC2 stay within their thresholds and are not attack messages.
To show more clearly how attack messages are determined from the attribute information of each message, consider the following example: the preset duration is 2 seconds, 200 messages are received within those 2 seconds, and the message-type count threshold for every attribute information is set to 30. Table 1 lists the attribute information of these messages.
Table 1  Attribute information of the 200 messages received in one 2 s window (threshold 30 for every message type)

  Attribute information   Message type       Source address   Number of messages
  1                       authentication     MAC1             40
  2                       association        MAC1             25
  3                       deauthentication   MAC1             25
  4                       beacon             MAC2             20
  5                       association        MAC2             35
  6                       authentication     MAC3             25
  7                       disassociation     MAC3             30

As Table 1 shows, the 200 messages received within the 2 s preset duration are classified by attribute information and the number of messages for each attribute information is determined. With a threshold of 30 for every attribute information, only attribute information 1 (40 authentication messages from MAC1) and attribute information 5 (35 association messages from MAC2) have a count greater than the threshold, so those 40 and 35 messages are determined to be attack messages. Attribute information 7 has exactly 30 messages, which is not greater than the threshold, so those messages are not attack messages.
To summarise: the device receives a plurality of messages within a preset duration, parses them into attribute information (message type and source address), and, for each attribute information, determines the corresponding messages to be attack messages when their number is greater than the corresponding threshold, so attack messages are identified effectively. Deleting them in the driver module of the wireless AP keeps the attack messages out of the kernel module, and, because the decision is enforced in the driver without first uploading the attack information to the wireless centralized controller, the defense is applied in time.
Correspondingly, the method further comprises: for each attribute information among the received messages, when the number of messages carrying that attribute information is not greater than the corresponding message-type count threshold, the driver module of the wireless AP sends those messages to the kernel module of the wireless AP.
Taking Table 1 as the example again: the 200 messages received within the 2 s preset duration are classified by attribute information and counted, with a threshold of 30 for every attribute information. Attribute information 2 (association, MAC1, 25 messages), 3 (deauthentication, MAC1, 25), 4 (beacon, MAC2, 20), 6 (authentication, MAC3, 25) and 7 (disassociation, MAC3, 30; note that 30 is not greater than 30) do not exceed the threshold, so the messages corresponding to attribute information 2, 3, 4, 6 and 7 are sent by the driver module to the kernel module of the wireless AP.
Thus the driver module of the wireless AP sends only normal messages to the kernel module. In the prior art every message was sent to the kernel module, which then had to determine which of them were attack messages; here a large volume of attack messages never reaches the kernel, so the kernel cannot be driven into a hung state by processing them, and the kernel resource usage of the wireless AP is reduced.
In another embodiment, for each attribute information among the received messages, the flag of the message type contained in that attribute information is set to a preset value. The preset values are zero and a first preset value, the first preset value being a non-zero integer: zero indicates that the number of messages of that type is not greater than the message-type count threshold corresponding to the attribute information, and the first preset value indicates that it is greater.
Specifically, deciding from the flag value whether messages are attack messages covers two cases. In the first case, the number of messages carrying the attribute information is greater than the corresponding threshold: the flag of that message type is set to the first preset value and the source address contained in the attribute information is recorded; because the flag holds the first preset value, the received messages with that message type and that source address are determined to be attack messages, and they are deleted by the driver module of the wireless AP. In the second case, the number is not greater than the threshold: the flag is set to zero, the messages are determined not to be attack messages, and the driver module sends them to the kernel module of the wireless AP.
Note that the first preset value differs per message type. For example, with the message types authentication, deauthentication, association, beacon and disassociation, the first preset value of the flag is 1 for authentication messages, 2 for deauthentication messages, 3 for association messages, 4 for disassociation messages and 5 for beacon messages.
To show more clearly how attack messages are determined from the preset values, the attribute information of Table 1 is used again as the example. Table 2 shows the preset values obtained from it.
Table 2  Flag values obtained from the attribute information of Table 1

  Attribute information   Message type       Source address   Number of messages   Flag value
  1                       authentication     MAC1             40                   1 (first preset value for authentication)
  2                       association        MAC1             25                   0
  3                       deauthentication   MAC1             25                   0
  4                       beacon             MAC2             20                   0
  5                       association        MAC2             35                   3 (first preset value for association)
  6                       authentication     MAC3             25                   0
  7                       disassociation     MAC3             30                   0 (30 is not greater than 30)

As Table 2 shows, the 200 messages received within 2 seconds are classified by the message type in each attribute information, and the preset value of each message type's flag is set according to the message count of that attribute information: attribute information 1 gets 1, attribute information 5 gets 3, and attribute information 2, 3, 4, 6 and 7 get 0. The flags of attribute information 1 and 5 therefore hold a first preset value, meaning that the messages corresponding to attribute information 1 and to attribute information 5 are attack messages, and the driver module of the wireless AP deletes them.
As the example shows, setting the flag of the message type in each attribute information to a preset value, and deciding from that value whether the corresponding messages are attack messages, allows wireless attacks to be detected and defended against quickly.
Optionally, after the messages carrying an attribute information are determined to be attack messages, the method further comprises reporting the corresponding source address. The message filtering module reports the source address of the attack messages so that upper-layer application software can record, for each preset duration, the source addresses of the attack messages and an attack log. The attack log on the wireless AP can then be consulted to refine the wireless attack defense policy.
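The detection logic of steps S201 to S204 together with the flag values of Table 2, run over the Table 1 traffic, as an added C example; this is not the patent's code, and it models in user space what the description places in a Linux driver. Assumptions: a fixed-capacity statistics table (MAX_KEYS), a threshold of 30 for every message type, three made-up MAC addresses, and printf standing in for the reporting hook of the previous paragraph.

```c
/* Added example, not the patent's code: one detection window of the per-(message type,
 * source address) threshold check with the Table 2 flag values, over the Table 1 traffic
 * as constructed input. Table capacity, thresholds and MAC addresses are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum frame_type { AUTH = 0, DEAUTH = 1, ASSOC = 2, DISASSOC = 3, BEACON = 4, NUM_TYPES = 5 };
/* Non-zero "first preset value" per type as in the description; 0 means "forward". */
static const int first_preset[NUM_TYPES] = { 1, 2, 3, 4, 5 };
/* Per-type count thresholds for one window; the Table 1 example uses 30 for every type. */
static unsigned threshold[NUM_TYPES] = { 30, 30, 30, 30, 30 };

#define MAX_KEYS 64 /* assumed capacity of the statistics structure */
/* One (message type, source address) bucket; flag is 0 or first_preset[type]. */
struct key_stat { uint8_t src[6]; enum frame_type type; unsigned count; int flag; };
struct window { struct key_stat keys[MAX_KEYS]; int nkeys; };

/* Clear the statistics at the start of each preset duration. */
void window_reset(struct window *w) { memset(w, 0, sizeof *w); }

static struct key_stat *find_key(struct window *w, enum frame_type t, const uint8_t src[6])
{
    for (int i = 0; i < w->nkeys; i++)
        if (w->keys[i].type == t && memcmp(w->keys[i].src, src, 6) == 0)
            return &w->keys[i];
    return NULL;
}

/* Counting module: add one message to its bucket; returns the new count, 0 if table full. */
unsigned window_count(struct window *w, enum frame_type t, const uint8_t src[6])
{
    struct key_stat *k = find_key(w, t, src);
    if (!k) {
        if (w->nkeys == MAX_KEYS) return 0;
        k = &w->keys[w->nkeys++];
        memcpy(k->src, src, 6);
        k->type = t;
    }
    return ++k->count;
}

/* Timer detection module: at the end of the window set every bucket's flag and report
 * the source address of each attack bucket; returns the number of attack buckets. */
int window_evaluate(struct window *w)
{
    int attacks = 0;
    for (int i = 0; i < w->nkeys; i++) {
        struct key_stat *k = &w->keys[i];
        k->flag = (k->count > threshold[k->type]) ? first_preset[k->type] : 0;
        if (k->flag == 0) continue;
        attacks++;
        printf("attack: type=%d src=%02x:%02x:%02x:%02x:%02x:%02x count=%u flag=%d\n", k->type,
               k->src[0], k->src[1], k->src[2], k->src[3], k->src[4], k->src[5], k->count, k->flag);
    }
    return attacks;
}

/* Filtering module: 1 = delete in the driver, 0 = pass to the kernel module. */
int should_drop(struct window *w, enum frame_type t, const uint8_t src[6])
{ struct key_stat *k = find_key(w, t, src); return k != NULL && k->flag != 0; }

/* Flag value of a bucket, -1 if no such bucket. */
int window_flag(struct window *w, enum frame_type t, const uint8_t src[6])
{ struct key_stat *k = find_key(w, t, src); return k ? k->flag : -1; }

/* Constructed input reproducing Table 1: 200 messages in one 2 s window. */
static const uint8_t MAC1[6] = {0x02,0,0,0,0,0x01}, MAC2[6] = {0x02,0,0,0,0,0x02},
                     MAC3[6] = {0x02,0,0,0,0,0x03};
struct sample { enum frame_type type; const uint8_t *src; unsigned n; };
static const struct sample table1[] = {
    { AUTH, MAC1, 40 }, { ASSOC, MAC1, 25 }, { DEAUTH, MAC1, 25 }, { BEACON, MAC2, 20 },
    { ASSOC, MAC2, 35 }, { AUTH, MAC3, 25 }, { DISASSOC, MAC3, 30 },
};
#define NSAMPLES (sizeof table1 / sizeof table1[0])

/* One window over the Table 1 traffic: count, evaluate, then decide per message. */
int run_table1(struct window *w, unsigned *dropped, unsigned *forwarded)
{
    window_reset(w);
    for (size_t i = 0; i < NSAMPLES; i++)
        for (unsigned j = 0; j < table1[i].n; j++)
            window_count(w, table1[i].type, table1[i].src);
    int attacks = window_evaluate(w);
    *dropped = *forwarded = 0;
    for (size_t i = 0; i < NSAMPLES; i++)
        *(should_drop(w, table1[i].type, table1[i].src) ? dropped : forwarded) += table1[i].n;
    return attacks;
}

int main(void)
{
    struct window w; unsigned d, f;
    int a = run_table1(&w, &d, &f);
    printf("attack buckets=%d dropped=%u forwarded=%u\n", a, d, f); /* 2 75 125 */
    return 0;
}
```

Compiled with any C99 compiler, the program reports two attack buckets (authentication from MAC1 with flag 1, association from MAC2 with flag 3), 75 messages dropped and 125 forwarded; the 30 disassociation messages from MAC3 are forwarded because the rule is "greater than", not "at least". One caveat a practitioner should keep in mind: the bucket key includes the source address exactly as the sender wrote it into the frame, and nothing in a pre-association management frame authenticates that field, so a flood that randomises its source address is spread over many buckets that each stay under the threshold (and also fills the fixed-size table). An aggregate per-type counter beside the per-source one closes that gap.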
The embodiment of the invention is now explained with reference to a wireless attack defense device: the wireless attack defense method runs inside a Linux driver module and is carried out jointly by a message receiving module, a message analysis module, a message statistics module, a timer detection module and a message filtering module, as follows:
the message receiving module receives a plurality of messages from the wireless data message interface and places them in a cache region of the message analysis module; before each preset time length starts, the cache region of the message analysis module is initialized and cleared to zero, so that the messages held in the cache region are exactly the messages received within that preset time length;
the message analysis module parses the messages in the cache region, calling a parsing function to extract the attribute information of each message (its message type and source address) and calling an output interface to pass the message type and source address of each message to the message statistics module;
the message statistics module, using the message type and source address of each received message, counts the number of messages for each (source address, message type) pair in a message statistics structure, and sends the counting result to the timer detection module when it receives the timing signal from the timer detection module; the message statistics structure is initialized before use;
the timer detection module sets the flag bit of the message type included in each message's attribute information to a preset value according to the number of messages counted for that attribute information: the preset value is set to zero when the number of messages for the attribute information is not greater than the message type number threshold for that attribute information, and is set to the first preset value, with the source address included in the attribute information recorded, when the number of messages for the attribute information is greater than that threshold; the timer detection module then sends the source address included in the attribute information and the preset value to the message filtering module;
after receiving the source address and the flag bit preset value for each attribute information, the message filtering module processes the plurality of messages: if the preset values of the flag bits of all message types are zero, the messages are sent directly to the kernel module; if the first preset value is present among the flag bits of the message types, the messages corresponding to that first preset value are determined to be attack messages, the source address in each attack message is recorded, and the attack messages are deleted.
According to the embodiment of the invention, whether the attack message exists or not can be detected within the preset time, and the attack message is directly deleted in the drive module of the wireless AP under the condition of determining the attack message, so that the time delay of wireless attack defense is reduced, the wireless attack defense is effectively and timely carried out, and the stability of the network where the network equipment accessed to the wireless access point is located is improved.
In any of the foregoing embodiments, the packet type included in the attribute information includes any one of the following: authentication message, deauthentication message, association message, disassociation message, Dynamic Host Configuration Protocol (DHCP) message, and beacon message.
In the embodiment of the invention, the wireless attack types include an authentication denial-of-service attack (Authentication DoS), a deauthentication message attack (Deauthentication flood), a disassociation message attack (Disassociation flood), a DHCP flooding attack, a beacon message attack (Beacon flood) and the like.
In order to more clearly describe the above method flow, the following examples are provided in the embodiments of the present invention.
Fig. 3 is a schematic flowchart of another wireless attack defense method applied to a wireless AP according to an embodiment of the present invention. Based on the system architecture shown in Fig. 1, this method is carried out by a wireless attack defense device, and as shown in Fig. 3 it comprises the following steps:
step S301: receiving a plurality of messages within a preset time length through a message receiving module;
step S302: analyzing each message in the plurality of messages through a message analysis module, and determining attribute information of each message in the plurality of messages; the attribute information comprises the message type and the source address of the message; the message type included in the attribute information includes any one of the following: authentication message, de-authentication message, association message, de-association message, Dynamic Host Configuration Protocol (DHCP) message, and beacon message.
Step S303: counting the number of messages corresponding to the attribute information of each message in the plurality of messages through a message counting module, and sending the plurality of messages, the attribute information and the number of messages corresponding to the attribute information to a timer detection module;
step S304: determining whether the number of the messages corresponding to the attribute information is larger than a message type number threshold value corresponding to the attribute information or not through a timer detection module aiming at each attribute information in all the attribute information corresponding to a plurality of messages; if yes, sending all messages of which the number of the messages corresponding to the attribute information is greater than the threshold value of the number of the message types corresponding to the attribute information to a timer detection module, and executing the step S305; if not, all messages of which the number of the messages corresponding to the attribute information is not more than the threshold value of the number of the message types corresponding to the attribute information are sent to a timer detection module, and the step S306 is executed;
step S305: setting the value of the flag bit of the message type included in the attribute information to be a first preset value through a timer detection module, recording the source address included in the attribute information, sending the message corresponding to the attribute information, the first preset value corresponding to the flag bit of the message type and the source address to a message filtering module, and executing the step S307;
step S306: setting the value of the flag bit of the message type included in the attribute information to zero through a timer detection module, and sending the message corresponding to the attribute information and the value zero corresponding to the flag bit of the message type to a message filtering module;
step S307: determining whether the value of the flag bit of the message type included in the attribute information is set to a first preset value or not through a message filtering module; if yes, go to step S308; if not, go to step S311;
step S308: determining a message corresponding to the message type included in the attribute information in the plurality of messages as an attack message through a message filtering module;
step S309: deleting the message determined as the attack message through a message filtering module;
step S310: reporting a source address corresponding to the attack message through a message filtering module;
step S311: and sending the message corresponding to the attribute information in the received multiple messages to a kernel module of the wireless AP through a message filtering module.
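The driver-module flow described above and the step sequence S301 to S311 are the same procedure. The following is an added example in C, not code from the patent, that models that procedure in user space: one window of frames is parsed into (source address, frame type) pairs, counted per pair, flagged when the timer fires if the count is strictly greater than the per-type threshold, and then filtered. Frame types, thresholds, MAC addresses and the 200-frame sample window are constructed for illustration.

```c
/* Added example, not code from the patent: user-space model of the
 * driver-level flow (buffer a window, parse, count per (source, type),
 * flag at timer expiry, drop flagged frames, pass the rest). Thresholds,
 * MAC addresses and the 200-frame sample window are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum frame_type { FT_AUTH, FT_DEAUTH, FT_ASSOC, FT_DISASSOC, FT_DHCP, FT_BEACON, FT_NTYPES };

/* Per-type count thresholds for one preset window (constructed values). */
static const unsigned THRESHOLD[FT_NTYPES] = { 40, 20, 40, 20, 30, 100 };

#define TABLE_MAX   64   /* distinct (source, type) rows tracked per window */
#define FLAG_ATTACK 1u   /* the "first preset value"; 0 means not flagged */

struct frame { uint8_t src[6]; enum frame_type type; };

/* Message statistics structure: one row per (source address, frame type). */
struct stat_entry { uint8_t src[6]; enum frame_type type; unsigned count; unsigned flag; };
struct stat_table { struct stat_entry rows[TABLE_MAX]; size_t n; };

struct window_result { size_t dropped, passed, flagged_rows; };

static struct stat_entry *stat_find(struct stat_table *t, const uint8_t *src,
                                    enum frame_type ft, int create)
{
    for (size_t i = 0; i < t->n; i++)
        if (t->rows[i].type == ft && memcmp(t->rows[i].src, src, 6) == 0)
            return &t->rows[i];
    if (!create || t->n == TABLE_MAX)
        return NULL;
    struct stat_entry *e = &t->rows[t->n++];
    memcpy(e->src, src, 6);
    e->type = ft;
    return e;
}

/* Timer detection step: a row is flagged only when its count is strictly
 * greater than the threshold for its type; a row exactly at the threshold
 * is not flagged. Flagged sources are reported once per window. */
static size_t detect_flags(struct stat_table *t)
{
    size_t flagged = 0;
    for (size_t i = 0; i < t->n; i++) {
        struct stat_entry *e = &t->rows[i];
        e->flag = e->count > THRESHOLD[e->type] ? FLAG_ATTACK : 0;
        if (e->flag == FLAG_ATTACK) {
            flagged++;
            printf("attack source %02x:%02x:%02x:%02x:%02x:%02x type=%d count=%u\n",
                   e->src[0], e->src[1], e->src[2], e->src[3], e->src[4], e->src[5],
                   (int)e->type, e->count);
        }
    }
    return flagged;
}

/* One preset window end to end: reset, count, detect, filter. Frames whose
 * (source, type) row is flagged are dropped; all others count as passed to
 * the kernel. Frames that could not be tracked (table full) pass through. */
static struct window_result process_window(const struct frame *frames, size_t n)
{
    static struct stat_table t;
    struct window_result r = { 0, 0, 0 };
    memset(&t, 0, sizeof t);                    /* cleared at window start */
    for (size_t i = 0; i < n; i++) {            /* statistics module */
        struct stat_entry *e = stat_find(&t, frames[i].src, frames[i].type, 1);
        if (e) e->count++;
    }
    r.flagged_rows = detect_flags(&t);          /* timer fires */
    for (size_t i = 0; i < n; i++) {            /* filtering module */
        const struct stat_entry *e = stat_find(&t, frames[i].src, frames[i].type, 0);
        if (e && e->flag == FLAG_ATTACK) r.dropped++; else r.passed++;
    }
    return r;
}

/* Constructed 200-frame window: one source floods deauth frames, a second
 * sends exactly the deauth threshold, plus ordinary association and beacon
 * traffic. Only the flood should be dropped. */
struct window_result demo_window(void)
{
    static const uint8_t flood[6]  = {0x02,0x00,0x00,0x00,0x00,0xaa};
    static const uint8_t edge[6]   = {0x02,0x00,0x00,0x00,0x00,0xbb};
    static const uint8_t client[6] = {0x02,0x00,0x00,0x00,0x00,0xcc};
    static const uint8_t ap[6]     = {0x02,0x00,0x00,0x00,0x00,0xdd};
    static struct frame win[200];
    size_t k = 0;
    for (int i = 0; i < 130; i++, k++) { memcpy(win[k].src, flood, 6);  win[k].type = FT_DEAUTH; }
    for (int i = 0; i < 20;  i++, k++) { memcpy(win[k].src, edge, 6);   win[k].type = FT_DEAUTH; }
    for (int i = 0; i < 30;  i++, k++) { memcpy(win[k].src, client, 6); win[k].type = FT_ASSOC; }
    for (int i = 0; i < 20;  i++, k++) { memcpy(win[k].src, ap, 6);     win[k].type = FT_BEACON; }
    return process_window(win, k);
}

int main(void)
{
    struct window_result r = demo_window();
    printf("dropped=%zu passed=%zu flagged_rows=%zu\n", r.dropped, r.passed, r.flagged_rows);
    return 0;
}
```

The second deauth source sits exactly at its threshold and is passed, showing that the check is "greater than", not "greater than or equal to".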
From the above, it can be seen that: the wireless attack defense device is arranged on the wireless AP, and receives a plurality of messages within a preset time length; analyzing each message in the plurality of messages, and determining attribute information of each message in the plurality of messages; the attribute information comprises the message type and the source address of the message; determining a message corresponding to the attribute information in the plurality of messages as an attack message under the condition that the number of the messages corresponding to the attribute information is larger than the threshold value of the number of the message types corresponding to the attribute information aiming at each attribute information in all the attribute information corresponding to the plurality of messages; therefore, the attack message can be effectively determined; deleting the message determined as the attack message through the drive module of the wireless AP, so that on one hand, the attack message is deleted, wireless attack defense is effectively carried out, and the attack message is prevented from entering the kernel module of the wireless AP; on the other hand, after the attack message is determined, the attack message is deleted through the driving module of the wireless AP, the information of the attack message does not need to be uploaded to the wireless centralized controller, and then wireless attack defense is carried out in time. Moreover, the method provided by the embodiment of the invention saves the overhead caused in the network transmission process in the prior art that the information of the attack message needs to be sent to the wireless centralized controller, thereby reducing the network load and improving the stability and the safety of the network where the network equipment accessed to the wireless AP is positioned. 
Further, the method provided by the embodiment of the present invention is applicable to many wireless network architectures, and is not limited to the network architecture including the wireless AP and the wireless centralized controller AC, so that the method of the embodiment of the present invention may be implemented in any network architecture including the wireless AP, and the portability of the method is good.
Fig. 4 is a schematic structural diagram illustrating a wireless attack defense device applied to a wireless AP according to an embodiment of the present invention.
Based on the same conception, the wireless attack defense device applied to the wireless AP provided by the embodiment of the invention is used for executing the method flow, and the wireless attack defense device is positioned on the driving module of the wireless AP; as shown in fig. 4, the wireless attack defense apparatus 400 includes a message receiving module 401, a message parsing module 402, a message counting module 403, and a message filtering module 405; the wireless attack defense apparatus 400 further includes a timer detection module 404, wherein:
a message receiving module 401, configured to receive multiple messages within a preset duration;
a message analyzing module 402, configured to analyze each message in the multiple messages, and determine attribute information of each message in the multiple messages; the attribute information comprises the message type and the source address of the message;
a message counting module 403, configured to count, for each attribute information in all attribute information corresponding to the multiple messages, the number of messages corresponding to the attribute information;
a message filtering module 405, configured to determine, as an attack message, a message corresponding to the attribute information in the multiple messages when it is determined that the number of the messages corresponding to the attribute information is greater than the threshold of the number of message types corresponding to the attribute information, and delete the message determined as the attack message.
Optionally, the packet filtering module 405 is further configured to: under the condition that the number of the messages corresponding to the attribute information is not larger than the threshold value of the number of the message types corresponding to the attribute information: and sending the received message corresponding to the attribute information in the plurality of messages to a kernel module of the wireless AP.
Optionally, the wireless attack defense apparatus 400 further includes a timer detection module 404 configured to: receiving indication information sent by the message counting module 403 when counting that the number of the messages corresponding to the attribute information is greater than the threshold of the number of the message types corresponding to the attribute information; the indication information is used to indicate the timer detection module 404 to set a flag bit of a packet type included in the attribute information to a first preset value; setting a flag bit of a message type included in the attribute information as a first preset value according to the indication information; recording a source address included in the attribute information; sending the source address included in the attribute information to the message filtering module 405; the packet filtering module 405 is configured to: receiving a source address included in the attribute information; and under the condition that the value of the zone bit of the message type is determined to be the first preset value, determining the message type in the plurality of messages and the message corresponding to the source address as an attack message.
Optionally, the packet type included in the attribute information includes any one of the following: authentication message, de-authentication message, association message, de-association message, Dynamic Host Configuration Protocol (DHCP) message, and beacon message.
Optionally, the packet filtering module 405 is further configured to: and reporting the source address corresponding to the attack message.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Embodiments of the present invention are described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various modifications and variations can be made in the embodiments of the present invention without departing from the spirit and scope of the application. Thus, if such modifications and variations of the embodiments of the present invention fall within the scope of the claims of the present application and their equivalents, the present application is also intended to encompass such modifications and variations.

Claims (8)

1. A wireless attack defense method applied to a wireless Access Point (AP), the method comprising:
receiving a plurality of messages within a preset time length;
analyzing each message in the plurality of messages, and determining attribute information of each message in the plurality of messages; the attribute information comprises the message type and the source address of the message;
determining a message corresponding to the attribute information in the plurality of messages as an attack message under the condition that the number of the messages corresponding to the attribute information is larger than the threshold value of the number of the message types corresponding to the attribute information aiming at each attribute information in all the attribute information corresponding to the plurality of messages;
deleting the message determined as the attack message through a driving module of the wireless AP;
wherein the method further comprises:
under the condition that the number of the messages corresponding to the attribute information is not larger than the threshold value of the number of the message types corresponding to the attribute information: and sending the received message corresponding to the attribute information in the plurality of messages to a kernel module of the wireless AP through a driving module of the wireless AP.
2. The method according to claim 1, wherein determining, in the case that it is determined that the number of packets corresponding to the attribute information is greater than the threshold of the number of packet types corresponding to the attribute information, a packet corresponding to the attribute information in the plurality of packets as an attack packet includes:
under the condition that the number of the messages corresponding to the attribute information is determined to be larger than the threshold value of the number of the message types corresponding to the attribute information:
setting the value of the flag bit of the message type included in the attribute information as a first preset value, and recording a source address included in the attribute information;
and under the condition that the value of the zone bit of the message type is determined to be the first preset value, determining the message type in the plurality of messages and the message corresponding to the source address as an attack message.
3. The method according to claim 1 or 2, wherein the packet type included in the attribute information includes any one of:
authentication message, de-authentication message, association message, de-association message, Dynamic Host Configuration Protocol (DHCP) message, and beacon message.
4. The method according to claim 1, wherein after determining the packet corresponding to the attribute information in the plurality of packets as an attack packet, the method further comprises:
and reporting the source address corresponding to the attack message.
5. A wireless attack defense device applied to a wireless Access Point (AP), wherein the wireless attack defense device is positioned on a driving module of the wireless AP; the device comprises:
the message receiving module is used for receiving a plurality of messages within a preset time length;
the message analysis module is used for analyzing each message in the plurality of messages and determining the attribute information of each message in the plurality of messages; the attribute information comprises the message type and the source address of the message;
the message counting module is used for counting the number of the messages corresponding to the attribute information aiming at each attribute information in all the attribute information corresponding to the plurality of messages;
the message filtering module is used for determining the message corresponding to the attribute information in the plurality of messages as an attack message and deleting the message determined as the attack message under the condition that the number of the messages corresponding to the attribute information is larger than the message type number threshold value corresponding to the attribute information;
wherein, the message filtering module is further configured to:
under the condition that the number of the messages corresponding to the attribute information is not larger than the threshold value of the number of the message types corresponding to the attribute information: and sending the received message corresponding to the attribute information in the plurality of messages to a kernel module of the wireless AP.
6. The wireless attack defense apparatus according to claim 5, wherein the wireless attack defense apparatus further comprises a timer detection module for:
receiving indication information sent by the message counting module under the condition that the counted number of the messages corresponding to the attribute information is larger than the threshold value of the number of the message types corresponding to the attribute information; the indication information is used for indicating the timer detection module to set a flag bit of a message type included in the attribute information to a first preset value;
setting a flag bit of a message type included in the attribute information as a first preset value according to the indication information;
recording a source address included in the attribute information;
sending the source address included in the attribute information to the message filtering module;
the message filtering module is used for:
receiving a source address included in the attribute information;
and under the condition that the value of the zone bit of the message type is determined to be the first preset value, determining the message type in the plurality of messages and the message corresponding to the source address as an attack message.
7. The wireless attack defense apparatus according to claim 5 or 6, wherein the packet type included in the attribute information includes any one of:
authentication message, de-authentication message, association message, de-association message, Dynamic Host Configuration Protocol (DHCP) message, and beacon message.
8. The wireless attack defense apparatus according to claim 5, wherein the packet filtering module is further configured to:
and reporting the source address corresponding to the attack message.
CN201710165669.XA 2017-03-20 2017-03-20 Wireless attack defense method and device applied to wireless Access Point (AP) Expired - Fee Related CN106790299B (en)
Publications (2)

Publication Number Publication Date
CN106790299A CN106790299A (en) 2017-05-31
CN106790299B true CN106790299B (en) 2020-06-23

Family

ID=58966390

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710165669.XA Expired - Fee Related CN106790299B (en) 2017-03-20 2017-03-20 Wireless attack defense method and device applied to wireless Access Point (AP)

Country Status (1)

Country Link
CN (1) CN106790299B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108419238A (en) * 2018-02-02 2018-08-17 浙江大华技术股份有限公司 A kind of method and device of detection rogue AP
CN116155797A (en) * 2020-05-13 2023-05-23 华为技术有限公司 Protocol message processing method, network equipment and computer storage medium
CN115396125A (en) * 2021-05-07 2022-11-25 中国移动通信集团有限公司 WIFI attack detection method and device, WIFI attack detection equipment and computer program
CN113542012B (en) * 2021-06-23 2023-01-10 江苏云洲智能科技有限公司 Fault detection method, fault detection device and electronic equipment
CN113965584B (en) * 2021-12-21 2022-05-13 北京达佳互联信息技术有限公司 Message processing method, device, apparatus and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101286996A (en) * 2008-05-30 2008-10-15 北京星网锐捷网络技术有限公司 Storm attack resisting method and apparatus
CN102036247A (en) * 2010-11-29 2011-04-27 桂林电子科技大学 Method for defending single node invasive attack in wireless network
CN102036248A (en) * 2010-12-23 2011-04-27 北京星网锐捷网络技术有限公司 Method and system for defending denial of service attack, wireless access point and wireless controller
CN102547714A (en) * 2011-12-28 2012-07-04 福建三元达通讯股份有限公司 Method for preventing flooding attack in wireless local area network
CN104378369A (en) * 2014-11-11 2015-02-25 上海斐讯数据通信技术有限公司 Wireless flooding attack prevention method
CN105450647A (en) * 2015-11-27 2016-03-30 上海斐讯数据通信技术有限公司 Method and system for preventing message attacks

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2888695A1 (en) * 2005-07-13 2007-01-19 France Telecom DETECTION OF INTRUSION BY MISMATCHING DATA PACKETS IN A TELECOMMUNICATION NETWORK

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101286996A (en) * 2008-05-30 2008-10-15 北京星网锐捷网络技术有限公司 Storm attack resisting method and apparatus
CN102036247A (en) * 2010-11-29 2011-04-27 桂林电子科技大学 Method for defending single node invasive attack in wireless network
CN102036248A (en) * 2010-12-23 2011-04-27 北京星网锐捷网络技术有限公司 Method and system for defending denial of service attack, wireless access point and wireless controller
CN102547714A (en) * 2011-12-28 2012-07-04 福建三元达通讯股份有限公司 Method for preventing flooding attack in wireless local area network
CN104378369A (en) * 2014-11-11 2015-02-25 上海斐讯数据通信技术有限公司 Wireless flooding attack prevention method
CN105450647A (en) * 2015-11-27 2016-03-30 上海斐讯数据通信技术有限公司 Method and system for preventing message attacks

Also Published As

Publication number Publication date
CN106790299A (en) 2017-05-31

Similar Documents

Publication Publication Date Title
CN106790299B (en) Wireless attack defense method and device applied to wireless Access Point (AP)
US11671402B2 (en) Service resource scheduling method and apparatus
EP2533492B1 (en) A node device and method to prevent overflow of pending interest table in name based network system
EP2615793A1 (en) Methods and systems for protecting network devices from intrusion
CN110830986B (en) Method, device, equipment and storage medium for detecting abnormal behavior of Internet of things card
WO2018032936A1 (en) Method and device for checking domain name generated by domain generation algorithm
US11665179B2 (en) Threat detection method and apparatus
WO2020037781A1 (en) Anti-attack method and device for server
CN110944016B (en) DDoS attack detection method, device, network equipment and storage medium
CN111314328A (en) Network attack protection method and device, storage medium and electronic equipment
CN103347031B (en) A kind of method and apparatus taking precautions against ARP message aggression
CN108183884B (en) Network attack determination method and device
CN105516200A (en) Cloud system security processing method and device
CN104601578A (en) Recognition method and device for attack message and core device
CN113098852A (en) Log processing method and device
CN111478860A (en) Network control method, device, equipment and machine readable storage medium
CN105450647A (en) Method and system for preventing message attacks
CN114172831B (en) Brute force cracking method, system, computer and storage medium
KR101374009B1 (en) Apparatus and method for preventing abnormal traffic
CN110932733B (en) Key scanning method and input device
CN111182551A (en) Network security protection method and system
US20230141028A1 (en) Traffic control server and method
US20100157806A1 (en) Method for processing data packet load balancing and network equipment thereof
KR20120012229A (en) Apparatus and method for dropping transmission and reception of unnecessary packets
CN114244593B (en) DNS security defense method and system, electronic equipment and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20180226

Address after: 510663 Shenzhou Road, Guangzhou Science City, Guangzhou, Guangzhou economic and Technological Development Zone, Guangdong Province, No. 10

Applicant after: COMBA TELECOM SYSTEMS (CHINA) Ltd.

Applicant after: COMBA TELECOM SYSTEMS (GUANGZHOU) Ltd.

Applicant after: COMBA TELECOM TECHNOLOGY (GUANGZHOU) Ltd.

Applicant after: TIANJIN COMBA TELECOM SYSTEMS Ltd.

Address before: 510663 Guangdong city of Guangzhou province Guangzhou economic and Technological Development Zone Jinbi Road No. 6

Applicant before: COMBA TELECOM TECHNOLOGY (GUANGZHOU) Ltd.

TA01 Transfer of patent application right

Effective date of registration: 20200108

Address after: 510663 Shenzhou Road 10, Guangzhou Science City, Guangzhou economic and Technological Development Zone, Guangzhou, Guangdong

Applicant after: COMBA TELECOM SYSTEMS (CHINA) Ltd.

Address before: 510663 Shenzhou Road, Guangzhou Science City, Guangzhou, Guangzhou economic and Technological Development Zone, Guangdong Province, No. 10

Applicant before: COMBA TELECOM SYSTEMS (CHINA) Ltd.

Applicant before: COMBA TELECOM SYSTEMS (GUANGZHOU) Ltd.

Applicant before: COMBA TELECOM TECHNOLOGY (GUANGZHOU) Ltd.

Applicant before: TIANJIN COMBA TELECOM SYSTEMS Ltd.

GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 510663 Shenzhou Road 10, Guangzhou Science City, Guangzhou economic and Technological Development Zone, Guangzhou, Guangdong

Patentee after: Jingxin Network System Co.,Ltd.

Address before: 510663 Shenzhou Road 10, Guangzhou Science City, Guangzhou economic and Technological Development Zone, Guangzhou, Guangdong

Patentee before: COMBA TELECOM SYSTEMS (CHINA) Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20200623
